Mimail
Mimail is an email worm on Microsoft Windows that steals passwords and was reported to have caused billions of dollars in damage.

Behavior

The worm arrives as an email that appears to be from the administrator of the user's domain. If your mail address is kiki_the_black_cat@kitty.cc, the sender line will read admin@kitty.cc. The subject line is "your account" followed by a random string of numbers and letters. The message body informs the user that there is important information about their email account in the attached zip file, Message.zip.

Message.zip contains an htm file, Message.htm, which, once opened in unpatched versions of Internet Explorer, creates the file Foo.exe in the Temporary Internet Files folder. Foo.exe is the Mimail worm itself. While Foo.exe is running, the browser shows a black field with red text saying "Please wait loading message.....".

Mimail copies itself to the Windows folder as Videodrv.exe. The worm adds the value "VideoDriver = (Windows directory)\videodrv.exe" to the Local Machine registry key that runs programs on startup. It creates another registry key with the value "{11111111-1111-1111-1111-111111111111}". The worm captures text from some windows and sends the information to a specific email address.

The worm then saves three files to the Windows directory: Zip.tmp, a temporary copy of the attachment Message.zip; a copy of Message.htm; and eml.tmp, where it stores the email addresses it finds. Mimail collects email addresses from local files and writes them to Windir\eml.tmp. The email addresses are collected from files with the following extensions: *.bmp, *.jpg, *.gif, *.exe, *.dll, *.avi, *.mpg, *.mp3, *.vxd, *.ocx, *.psd, *.tif, *.zip, *.rar, *.pdf, *.cab, *.wav, *.com.

The worm has its own Zip implementation for creating the archive and its own SMTP engine for sending copies of itself as infected attachments.
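As an added illustration that is not part of the original wiki article, the lure traits described above can be checked against a raw message with the Python standard library. The sample message, the indicator names and the mimail_lure_indicators function are constructed here for the example; the HTML placed inside the sample archive is a harmless placeholder, not the worm's payload.

```python
import email
import email.utils
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Lure subject: the literal "your account" followed by one run of
# random-looking letters and digits.
SUBJECT_RE = re.compile(r"^your account\s+[A-Za-z0-9]+$", re.IGNORECASE)


def build_sample_eml() -> bytes:
    """Constructed sample reproducing the lure described in the article.

    The sender is "admin@" at the recipient's own domain, the subject is
    "your account" plus a token, and the single attachment is Message.zip
    containing Message.htm. The HTML inside is a harmless placeholder.
    """
    msg = EmailMessage()
    msg["From"] = "admin@kitty.cc"
    msg["To"] = "kiki_the_black_cat@kitty.cc"
    msg["Subject"] = "your account x9f3k2q1"
    msg.set_content(
        "Important information about your email account is in the attached file."
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Message.htm", "<html><body>placeholder</body></html>")
    msg.add_attachment(
        buf.getvalue(),
        maintype="application",
        subtype="zip",
        filename="Message.zip",
    )
    return msg.as_bytes()


def _domain(addr: str) -> str:
    """Domain part of an address, lower-cased; empty if there is none."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def mimail_lure_indicators(raw: bytes) -> list[str]:
    """Return the names of the Mimail.A lure traits present in a raw message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits: list[str] = []

    sender = email.utils.parseaddr(str(msg.get("From", "")))[1].lower()
    recipient = email.utils.parseaddr(str(msg.get("To", "")))[1].lower()

    # Trait 1: "admin@" at exactly the recipient's own domain.
    if sender.startswith("admin@") and _domain(sender) == _domain(recipient):
        hits.append("sender-admin-at-recipient-domain")

    # Trait 2: subject "your account <token>".
    if SUBJECT_RE.match(str(msg.get("Subject", "")).strip()):
        hits.append("subject-your-account-token")

    # Traits 3 and 4: a Message.zip attachment, and Message.htm inside it.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name != "message.zip":
            continue
        hits.append("attachment-message-zip")
        payload = part.get_payload(decode=True) or b""
        try:
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                if any(n.lower() == "message.htm" for n in zf.namelist()):
                    hits.append("archive-contains-message-htm")
        except zipfile.BadZipFile:
            # Not a valid archive; the other traits still stand on their own.
            pass
    return hits


if __name__ == "__main__":
    print(mimail_lure_indicators(build_sample_eml()))
```

The sender check deliberately compares the domain of From against the domain of To rather than against a fixed string, because the worm personalises the spoofed administrator address to each recipient's domain; a message matching all four traits is a strong candidate for quarantine even before the archive's contents are scanned.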
Variants

Mimail.B

Mimail.B is a mass-mailing worm that targets computers running certain versions of Microsoft Windows that do not have Microsoft Security Bulletins MS02-015 and MS03-014 installed. The worm sends itself as an attachment to email addresses on the infected computer. The worm is activated when the user opens the attachment.

Mimail.C

Mimail.C is a mass-mailing worm that spreads in emails as a ZIP archive containing the worm's executable under the name PHOTOS.JPG.EXE. The worm tries to perform a DoS (Denial of Service) attack on certain sites and to steal information from infected computer users.

Mimail.D

Mimail.D is a mass-mailing worm that targets computers running certain versions of Microsoft Windows that do not have Microsoft Security Bulletins MS02-015 and MS03-014 installed. The worm sends itself to e-mail addresses that it finds on the infected computer. The worm is activated when the user opens the attachment. The worm also gathers and transmits user account numbers and passwords.

Mimail.E

Mimail.E is a mass-mailing worm that is a close variant of the Mimail.C worm.

Mimail.F

Mimail.F is a mass-mailing worm that targets certain versions of Microsoft Windows. The worm sends itself as an attachment to email addresses on an infected computer. The worm is activated when the user opens the attachment. The worm also launches denial of service (DoS) attacks against certain websites.

Mimail.G

Mimail.G is a mass-mailing worm that targets certain versions of Microsoft Windows. The worm sends itself as an attachment to e-mail addresses on an infected computer. The worm is activated when the user opens the attachment. The worm also launches denial of service (DoS) attacks against certain websites. It is a variant of Mimail.C that is packed with UPX.

Mimail.H

Mimail.H is a mass-mailing worm that has a compressed size of 10,784 bytes and is a minor variant of Mimail.E.

Mimail.I

Mimail.I is a mass-mailing worm that attempts to steal credit card information. The worm displays a form that asks the user to enter their credit card information. (See the "Technical Details" section for an illustration of a fake "PayPal Secure Application" window.) This information is saved and later emailed to several predetermined email addresses.

Mimail.J

Mimail.J is a mass-mailing worm that disguises itself as an email from the PayPal online payment service and tries to steal credit card information. It arrives with the subject "IMPORTANT" and an attachment named www.paypal.com.pif.

Mimail.K

Mimail.K is a mass-mailing worm that targets certain versions of Microsoft Windows. The worm sends itself as an attachment to email addresses that it finds on the infected computer. The worm is activated when the recipient opens the attachment. It is a minor variant of Mimail.E.

Mimail.L

Mimail.L is a mass-mailing worm, a variant of Mimail.C, that spreads by email and steals information from infected computers.

Mimail.M

Mimail.M is a mass-mailing worm that is a variant of Mimail.L.

Mimail.R

Mimail.R is a mass-mailing worm that targets certain versions of Microsoft Windows. It is also known as Mydoom.

Sources

Atli Gudmundsson, Scott Geddis, Symantec.com, W32.Mimail.A@mm
F-Secure Computer Virus Information Pages, Mimail.A